GitHub Project "Solana-pumpfun-bot" Exposed as Crypto Wallet Drainer


A widely used open-source project hosted on GitHub, named "Solana-pumpfun-bot," has been revealed to contain malicious code designed to steal cryptocurrencies from users' wallets. The discovery was made by security analysts after a victim reported unauthorized transfers following the use of this software.

Incident Overview and Initial Report

On July 2, 2025, a victim contacted security experts to investigate the theft of their digital assets. The user had executed code from the "Solana-pumpfun-bot" repository just one day prior to the incident. Blockchain analysis indicated that the stolen funds were being routed to a known exchange platform.

Further inspection exposed a multi-layered attack strategy. The malicious actor impersonated a legitimate open-source project to lure developers into downloading and running harmful scripts. A key dependency named "crypto-layout-utils" was also identified and subsequently removed from the official package registry.

How the Attack Operated

The attacker uploaded a tampered version of the software, replacing genuine download links with malicious ones. Once installed, the program scanned the victim's computer for wallet-related files and exfiltrated sensitive data, including private keys, to a server controlled by the attacker.

The threat actor managed multiple GitHub accounts to create a false sense of credibility and popularity around the project. Several forked repositories contained references to another malicious package named "bs58-encrypt-utils," suggesting a broader campaign.

This coordinated effort combined social engineering and technical deception, making the scam highly effective and difficult to detect.

Evolution of Crypto Scams and Social Engineering

While core hacking techniques have not drastically changed, attackers are adopting more sophisticated and subtle methods. Fraudulent browser extensions, compromised hardware wallets, and psychologically manipulative tactics are on the rise.

Security professionals note a clear shift from purely on-chain attacks to off-chain entry points. These include phishing through social media, fake authentication processes, and exploitation of user behavior.

For example, attackers often redirect users to legitimate-looking platforms like Notion or Zoom. When users attempt to download software, they are served a malicious file instead.

In other cases, hackers send compromised hardware wallets to victims, falsely claiming they have won a giveaway or that their current device is at risk. The ultimate goal is to create a sense of urgency or fear, prompting rash decisions.

Phrases like “risk signature detected” are used to trigger panic, leading users to click harmful links or disclose confidential information.

Broader Ecosystem Threats

Some recent attacks have also leveraged new features introduced in blockchain upgrades, such as EIP-7702 on Ethereum. Additionally, account takeover attempts via messaging platforms like WeChat have become more frequent.

According to industry reports, Ethereum recorded the highest security-related losses across all ecosystems in the first half of 2025, with DeFi platforms losing approximately $470 million.


Frequently Asked Questions

What is the "Solana-pumpfun-bot" scam?
It is a malicious GitHub project that tricks users into running code that steals cryptocurrency private keys and wallet data. The attackers used fake accounts and manipulated dependencies to appear legitimate.

How can I avoid downloading malicious crypto software?
Always verify the authenticity of open-source repositories. Check contributor history, review the declared dependencies (both their names and where they are resolved from), and use official websites or package managers for downloads. Avoid executing code from unverified sources.
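The dependency review recommended above, applied to the pattern described under "How the Attack Operated," can be partly automated. The following Node.js script is an added example, not code from the article or from the repository it describes: it audits a parsed package.json for dependency names the article reports as malicious ("crypto-layout-utils" and "bs58-encrypt-utils"), for dependencies resolved from a URL or git source rather than the package registry (the "replaced download links" the article mentions), and for lifecycle scripts that npm runs automatically during installation. The sample manifest, its package versions and the "example-trading-bot" name are constructed for this example.

```javascript
// Added example (not from the article or the project it describes): audit a
// package.json object for the supply-chain warning signs the article describes.

// Package names the article reports as malicious.
const KNOWN_MALICIOUS = new Set(["crypto-layout-utils", "bs58-encrypt-utils"]);

// Lifecycle scripts that npm executes automatically during `npm install`,
// which is how a tampered package can run code before the user starts the bot.
const INSTALL_SCRIPTS = ["preinstall", "install", "postinstall", "prepare"];

// A semver range or dist-tag never contains "/" or a URL/git scheme; anything
// that does is fetched from somewhere other than the registry.
function isNonRegistrySpec(spec) {
  return /^(https?:|git\+|git:|github:|file:|ssh:)/i.test(spec) || spec.includes("/");
}

// Returns a list of findings: { severity, section, name, reason }.
function auditPackageJson(pkg) {
  const findings = [];
  for (const section of ["dependencies", "devDependencies", "optionalDependencies"]) {
    for (const [name, spec] of Object.entries(pkg[section] || {})) {
      if (KNOWN_MALICIOUS.has(name)) {
        findings.push({ severity: "high", section, name, reason: "known malicious package name" });
      }
      if (isNonRegistrySpec(spec)) {
        findings.push({ severity: "medium", section, name, reason: `resolved outside the registry: ${spec}` });
      }
    }
  }
  for (const hook of INSTALL_SCRIPTS) {
    const cmd = (pkg.scripts || {})[hook];
    if (cmd) {
      findings.push({ severity: "medium", section: "scripts", name: hook, reason: `runs automatically on install: ${cmd}` });
    }
  }
  return findings;
}

// Constructed sample manifest modelled on the pattern the article describes
// (a trading bot whose dependency list pulls in the reported packages).
const SAMPLE_MANIFEST = {
  name: "example-trading-bot",
  version: "1.0.0",
  scripts: { start: "node index.js", postinstall: "node scripts/setup.js" },
  dependencies: {
    "@solana/web3.js": "^1.95.0",
    "bs58": "^5.0.0",
    "crypto-layout-utils": "^1.3.1",
    "bs58-encrypt-utils": "https://example.invalid/bs58-encrypt-utils-1.0.0.tgz",
  },
};

// Print a human-readable report when run directly: `node audit-manifest.js`
const report = auditPackageJson(SAMPLE_MANIFEST);
for (const f of report) {
  console.log(`[${f.severity.toUpperCase()}] ${f.section}/${f.name}: ${f.reason}`);
}
if (report.length === 0) {
  console.log("no findings");
}
```

In practice the known-bad list would come from a maintained feed rather than a hard-coded set, and a non-registry source or an install hook is a prompt for manual review rather than proof of compromise; the value of the check is that it surfaces exactly the places in a manifest where the article's attackers hid their code.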

What should I do if I’ve already used this bot?
Immediately transfer funds to a new secure wallet generated on a clean device. Revoke any granted permissions and monitor involved addresses for suspicious activity.

Why are social engineering attacks becoming more common?
Because users are increasingly aware of traditional technical threats, attackers are shifting to psychological manipulation. Exploiting trust and triggering emotional responses has proven highly effective.

Are hardware wallets safe from such attacks?
While generally more secure, hardware wallets can be compromised if users import keys from malicious software or use devices sent by untrusted third parties.

How do I report a suspicious GitHub project?
Use GitHub’s “Report” feature to flag malicious repositories. You can also notify security firms or community-led watchdog groups specializing in blockchain threats.